Tuesday, November 20, 2012

This post may be a mixture of rants and some quick tips on how to save your web server when you suspect there is some malicious attack on it and you have limited admin access and support.

It becomes imperative to create a world-writable directory if you have a web server that plots or maps data on user demand. I would like to hear more from people if they know how to do this otherwise. I have been looking for solutions to this problem, but did not find any. Now I have settled for something that makes your web program clean up its own mess.

Suppose you have a world-writable directory called /tmp/XX, and some hacker has been able to put malicious code into it and is able to run it. My solution for that is to delete the contents of this folder after n hours. Just put a small command inside your web program that runs frequently, and whenever it runs, the world-writable folder will be cleaned.
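One way to write that cleanup step, as an added example (not code from the original post): a Python function the web program can call on each request. The name purge_stale, the choice of Python and the use of file modification time as the age test are assumptions.

```python
import os
import stat
import tempfile
import time


def purge_stale(directory, max_age_hours, now=None):
    """Delete non-directory entries in `directory` whose mtime is older than
    max_age_hours. Returns the sorted names that were removed."""
    now = time.time() if now is None else now
    cutoff = now - max_age_hours * 3600
    removed = []
    # O_NOFOLLOW: refuse to run if the directory itself was swapped for a symlink.
    dir_fd = os.open(directory, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        for name in os.listdir(dir_fd):
            try:
                # lstat relative to dir_fd: a planted symlink is judged (and
                # removed) as a link; its target is never touched.
                st = os.stat(name, dir_fd=dir_fd, follow_symlinks=False)
                if stat.S_ISDIR(st.st_mode) or st.st_mtime >= cutoff:
                    continue
                os.unlink(name, dir_fd=dir_fd)
                removed.append(name)
            except FileNotFoundError:
                continue  # another request already cleaned this entry
    finally:
        os.close(dir_fd)
    return sorted(removed)


if __name__ == "__main__":
    # Constructed demo: one 3-hour-old plot and one fresh plot, n = 2 hours.
    work = tempfile.mkdtemp()
    for name, age_h in (("old.png", 3), ("fresh.png", 0)):
        path = os.path.join(work, name)
        open(path, "w").close()
        stamp = time.time() - age_h * 3600
        os.utime(path, (stamp, stamp))
    print(purge_stale(work, 2))
```

Subdirectories are left in place, and age is judged by mtime, which whoever wrote a file can reset, so this bounds how long stray files linger rather than guaranteeing their removal.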

Tuesday, November 06, 2012

Many times while working on multiple machines, you may want to automate certain processes so that programs can directly access information/data on another server effortlessly, without a password. This can be done with SSH key-based authentication, using a key pair generated by ssh-keygen.

So, what happens here is this: you have a local machine, let's call it 'A', and you have a remote machine, let's call it 'B'. You have an account on 'B', say 'myname'. Every time you log into that machine using ssh, you have to do something like:

$ ssh myname@B

$Password:

$myname@B:

In order to log into a machine directly without a password, you have to generate a pair of keys, called a public key and a private key. The public key is public information, and the private key is known only to your local machine, i.e. 'A'. You can use ssh-keygen to create the pair of keys. This is how you should proceed:

$ ssh-keygen -t rsa

Generating public/private rsa key pair.
Enter file in which to save the key (/home/Sucheta/.ssh/id_rsa): /home/Sucheta/.ssh/iicb_rsa
[Remember to enter a new file name here, else it will overwrite any other id_rsa file that you may have saved earlier for any other computer.]
Enter passphrase (empty for no passphrase):
[Enter a passphrase that is > 4 characters long. This is essential if your computer has more than one pair of public/private keys for more than one remote server.]
Enter same passphrase again:
Your identification has been saved in /home/Sucheta/.ssh/iicb_rsa.
Your public key has been saved in /home/Sucheta/.ssh/iicb_rsa.pub.
The key fingerprint is:
95:13:96:1b:66:ef:36:74:25:76:05:23:64:58:bb:94 Sucheta@Sucheta-PC
The key's randomart image is:
+--[ RSA 2048]----+
| o== o.o|
| .*+ +o.o|
| o++E. + |
| ..oo.. |
| S o.. |
| + |
| . . |
| |
| |
+-----------------+

Then do:

$ ssh-copy-id -i /home/Sucheta/.ssh/iicb_rsa.pub myname@B

This command will append your public key to the ~/.ssh/authorized_keys file on the remote host. The -i option names the public key to install, which is needed here because the key was saved under a non-default file name. You can also do this manually by logging back into your remote computer and copy-pasting your public key into the 'authorized_keys' file. Make sure your public key is pasted as one single line.

Another thing to remember is that, depending on the OS and version, the file that needs to hold the public key on the remote machine may be different. In order to confirm that it is indeed called "authorized_keys", do the following:

[root@Apala ssh]# cat /etc/ssh/sshd_config | grep Keys
# HostKeys for protocol version 2
#AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody

This tells you that the file that stores public keys on your remote computer is indeed named authorized_keys (the commented-out line shows the default setting).

The next time you want to create another passwordless connection to another computer, just repeat the above steps. And always remember to save each new public/private key pair under a different file name, else it will overwrite the contents of the id_rsa and id_rsa.pub files. Add a passphrase too.

One more important thing to remember is to check the file permissions of the "authorized_keys" file on the remote machine. Always set it to 700.

Using this, you can also automate file transfer with sftp or any other remote FTP protocol.